Buffer Overflow Flaw Found in IBM’s Tivoli Storage

IBM warns that a security bug exists in the backup and retrieval system of its Tivoli Storage Manager Express that could allow unauthorized viewing of data saved on the system. IBM's Tivoli Storage Manager Express uses proven technology for the backup and recovery of essential data.

IBM, which released the warning on January 11, 2008, advised users to immediately download and run a security patch to mend the heap overflow hole in the Express Server.

The security update, version 5.3.7.3, corrects a programming fault that attackers could use to take full control of vulnerable systems connected to the Internet. According to IBM, the fault is a buffer overflow that allows arbitrary malicious code to be executed with system privileges.

The Readme file, however, does not mention the security hole. It only states that the update adds support for IBM's 3362-2LX Tape Autoloader and includes fixes for some minor bugs. The company recommends that administrators install the patch as soon as possible, or restrict network access to the servers of trusted customers only.

According to the security alert, an attacker seeking to trigger the heap overflow could send specially crafted packets to any TSM Express server by connecting directly to its TCP socket rather than going through the TSM user. The heap overflow could let anyone remotely inject malicious code straight into a TSM Express server with system rights.

The latest flaw in TSM Express was discovered by security software maker TippingPoint, a unit of 3Com, Inc.

This is the second advisory in four months in which IBM has addressed security holes in Tivoli Storage Manager. In September 2007, the company recommended patches to customers for two flaws in the TSM backup system in order to prevent data exposure.

IBM said that by exploiting the buffer overflow in TSM, attackers could corrupt the backup software in two different ways: it could crash the operating system, or it could allow the execution of arbitrary code. It could also let someone abuse server-initiated scheduling to access other people's private information.